Decision deepens circuit split on scope of CFAA

On April 10, the 9th Circuit ruled in U.S. v. Nosal that employees who violate workplace computer policies or website terms of use are not criminally liable under the federal Computer Fraud and Abuse Act (CFAA), which allows for the prosecution of anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access.” The decision represents a split with several other circuits, which could result in the issue heading to the Supreme Court.

David Nosal resigned as head of the CEO practice group at executive recruiting firm Korn/Ferry International in October 2004. After his departure, Nosal allegedly tried to start a competing business by convincing three former colleagues to download a confidential client database in violation of Korn/Ferry’s company policy.

The government indicted Nosal on numerous violations of the CFAA, arguing that although Nosal’s co-workers had authorization to access the confidential database, they had exceeded authorized access by subsequently misusing this information. Nosal sought a dismissal of the case, saying that the CFAA was an antihacking statute that should not be used to prosecute computer usage violations.

A district court agreed with Nosal, citing the 9th Circuit’s precedent in LVRC Holdings LLC v. Brekka (see “The Brekka Precedent” ). The 9th Circuit panel initially reversed the lower court’s ruling in April 2011, but one year later, an en banc ruling reaffirmed the lower court’s decision to dismiss the case.

Changing Course

In its most recent opinion, the 9th Circuit returned to its Brekka position and took a narrow interpretation of what constitutes “unauthorized access.” Under the new standard, if a company allows its employees to use work computers, it has granted them authorization to access any information they can reach without “the circumvention of technological access barriers,” such as password protections.

This is far from 9th Circuit’s original Nosal ruling. According to BrittonTuma Founding Partner Shawn Tuma, the court may have taken public opinion into account when reversing its position. “This case was a beautiful example of the power of framing the issue in a legal case,” Tuma says. “In this appellate opinion, it barely even mentioned the actual facts of this case. It talked all about the public policy and the fears that had been ginned up over the past year.”

The court’s opinion makes extensive references to the CFAA’s broader implications, namely that minor violations of computer usage policies—such as checking Facebook, playing Sudoku or sending personal emails—could result in criminal charges. Writing the opinion for the court, Judge Alex Kozinski worried that the government’s interpretation of the CFAA would “transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved.”

Judge Barry Silverman criticized the majority’s use of “far-fetched hypotheticals” in his dissent. He focused on the CFAA’s prohibition of “exceed[ing] unauthorized access,” arguing that Nosal and his co-workers clearly exceeded their access by using confidential information with the intent to defraud their company.

Silverman also noted that the 9th Circuit’s decision contrasts sharply with rulings by the 5th, 7th and 11th Circuits, which applied the CFAA more broadly in U.S. v. John, International Airport Centers v. Citrin and U.S. v. Rodriguez, respectively. “What those courts have focused on is that there is a requirement that there be an intent to defraud in connection with the access or improper action in question,” says Hahn Loeser Partner John Marsh, who speculates that the circuit split may ultimately send the case to the Supreme Court.

In his opinion, Judge Kozinski acknowledged the split, but urged the other circuits to reconsider their stance, saying that they “looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute’s unitary definition of ‘exceeds authorized access.’”

Practical Implications

Until the split is resolved, companies should be aware of how courts view the CFAA in their jurisdictions. In the 9th Circuit, the Nosal ruling has raised the bar for employers trying to recover misappropriated information. “Even if you didn’t have the strongest level of information, you still got some cachet with CFAA claims,” Seyfarth Shaw Partner Robert Milligan says. “[Nosal] may make it more difficult to pursue claims against employees, particularly if the information is what the company would consider confidential and proprietary, but not a trade secret.”

In light of Nosal, Tuma advises employers to regularly re-evaluate their computer access policies. “Have policies in place that limit permission to access,” he says. “For different employees at different levels, take the time to delineate what authority they have. Don’t just have a blanket policy, where everybody has free rein to x, y and z.”

Even if an employee does manage to misuse information, employers are not without recourse. Businesses can still pursue misbehaving employees with charges including misappropriation of trade secrets, breach of contract and theft. “At the end of the day, the CFAA is one remedy, and every state still provides a course of action or a civil action for an employer that feels confidential information has been stolen or misappropriated,” Marsh says.